Step-by-Step Guide to Creating an AWS VPC and NAT Gateways

In this blog post I’m going to provide a step-by-step guide to create an AWS VPC. I’ll walk through how to create an Internet Gateway and configure a couple of Public Subnets that are spread across two Availability Zones for High Availability whilst also creating a custom route table to enable the Public Subnets to access the Internet. Next I’ll configure a couple of Private Subnets that are also spread across two Availability Zones and will then configure a NAT Gateway to allow these Private Subnets the ability to connect to the Internet for operating system patches whilst not allowing anything on the Internet the ability to connect to these Private Subnets. For the purpose of this I’m going to be using the eu-west-1 AWS Region.

Creating the VPC

Login to the AWS Management Console.

Navigate to Networking & Content Delivery.

Click “VPC”.

From within the VPC Dashboard, Click “Your VPCs”.

Click “Create VPC”.

Specify the Name of the VPC e.g. ‘MyVPC’.

Specify the IPv4 CIDR block e.g. ‘192.168.0.0/16’.

Click “Yes, Create”.

Creating the Internet Gateway

From within the VPC Dashboard, Click “Internet Gateways”.

Click “Create Internet Gateway”.

Specify the Name of the Internet Gateway e.g. ‘MyIGW’.

Click “Yes, Create”.

Creating the Public Subnets

From within the VPC Dashboard, Click “Subnets”.

Click “Create Subnet”.

Specify the Name of the Subnet e.g. ‘MyPublicSubnet – AZ A‘.

Select the VPC that was previously created e.g. ‘MyVPC’.

Select the Availability Zone e.g. ‘eu-west-1a’.

Specify the IPv4 CIDR block for the Subnet e.g. ‘192.168.1.0/24’.

Select the checkbox for the Subnet and then Click “Subnet Actions”.

Click “Modify auto-assign IP settings”.

Select the checkbox for “Auto-assign IPs” and Click “Save”.

Click “Create Subnet”.

Specify the Name of the Subnet e.g. ‘MyPublicSubnet – AZ B’.

Select the VPC that was previously created e.g. ‘MyVPC’.

Select the Availability Zone e.g. ‘eu-west-1b’.

Specify the IPv4 CIDR block for the Subnet e.g. ‘192.168.2.0/24’.

Select the checkbox for the Subnet and then Click “Subnet Actions”.

Click “Modify auto-assign IP settings”.

Select the checkbox for “Auto-assign IPs” and Click “Save”.

Creating the Route Table to Enable Internet Access for the Public Subnets

From within the VPC Dashboard, Click “Route Tables”.

Click “Create Route Table”.

Specify the Name of the Route Table e.g. ‘MyInternetRouteTable’.

Select the VPC that was previously created e.g. ‘MyVPC’.

Click “Yes, Create”.

Select the Route Table that was previously created e.g. ‘MyInternetRouteTable’.

Click on the “Routes” Tab.

Click “Edit”.

In the Destination textbox, type ‘0.0.0.0/0’.

In the Target textbox, Select the Internet Gateway that was previously created e.g. ‘MyIGW’.

Select the Public Subnet that was previously created e.g. ‘MyPublicSubnet – AZ A’.

Click “Create New EIP”.

Click “Create NAT Gateway”.

Click “Create NAT Gateway”.

Select the Public Subnet that was previously created e.g. ‘MyPublicSubnet – AZ B’.

Click “Create New EIP”.

Click “Create NAT Gateway”.

Creating the Private Subnets

From within the VPC Dashboard, Click “Subnets”.

Click “Create Subnet”.

Specify the Name of the Subnet e.g. ‘MyPrivateSubnet – AZ A’.

Select the VPC that was previously created e.g. ‘MyVPC’.

Select the Availability Zone e.g. ‘eu-west-1a’.

Specify the IPv4 CIDR block for the Subnet e.g. ‘192.168.10.0/24’.

Click “Create Subnet”.

Specify the Name of the Subnet e.g. ‘MyPrivateSubnet – AZ B’.

Select the VPC that was previously created e.g. ‘MyVPC’.

Select the Availability Zone e.g. ‘eu-west-1b’.

Specify the IPv4 CIDR block for the Subnet e.g. ‘192.168.20.0/24’.

Creating the Route Table for the Private Subnets to Access the Internet via the NAT Gateways

From within the VPC Dashboard, Click “Route Tables”.

Click “Create Route Table”.

Specify the Name of the Route Table e.g. ‘MyPrivateSubnetA-InternetRouteTable’.

Select the VPC that was previously created e.g. ‘MyVPC’.

Click “Yes, Create”.

From within the VPC Dashboard, Click “NAT Gateways”.

Make a note of the corresponding NAT Gateways ID’s and the Private IP Address assigned to the NAT Gateway. Given we’ve created 2 NAT Gateways in different Public Subnets that are located in different Availability Zones, we want to configure our Private Subnets in those Availability Zones to use the local NAT Gateway e.g. Private Subnet A will use the NAT Gateway in the Public Subnet A and likewise for the other Availability Zone.

Select the Route Table that was previously created e.g. ‘MyPrivateSubnetA-InternetRouteTable’.

Click on the “Routes” Tab.

Click “Edit”.

In the Destination textbox, type ‘0.0.0.0/0’.

In the Target textbox, Select the NAT Gateway that was previously created that was associated with the Public Subnet in Availability Zone A e.g. ‘NAT Gateway ID A’.

Click “Save”.

Click on the “Subnet Associations” Tab.

Click “Edit”.

Select the checkbox for the Public Subnets e.g. ‘MyPublicSubnet – AZ A’.

Click “Save”.

Select the Route Table that was previously created e.g. ‘MyPrivateSubnetB-InternetRouteTable’.

Click on the “Routes” Tab.

Click “Edit”.

In the Destination textbox, type ‘0.0.0.0/0’.

In the Target textbox, Select the NAT Gateway that was previously created that was associated with the Public Subnet in Availability Zone A e.g. ‘NAT Gateway ID B’.

Click “Save”.

Click on the “Subnet Associations” Tab.

Click “Edit”.

Select the checkbox for the Public Subnets e.g. ‘MyPublicSubnet – AZ B’.

Click “Save”.

That’s it, we’ve now configured the VPC with both Public and Private Subnets. The Public Subnets can access the Internet by routing out via the Internet Gateway. Therefore if you were to launch an EC2 Instance into either of the Public Subnets you could run a ‘sudo yum update -y’ on a Linux Instance and it would update it’s patches accordingly.

The Private Subnets can access the Internet by proxying through the appropriate NAT Gateway, that then has the ability to access the Internet by routing out via the Internet Gateway. Similarly if you launch an EC2 Instance into either of the Private Subnets you could run a ‘sudo yum update -y’ on a Linux Instance and it would also update it’s patches.